Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Brian <bmc () snort org>
Date: Tue, 1 Mar 2005 16:23:38 -0500

On Tue, Mar 01, 2005 at 04:00:55PM -0500, security curmudgeon wrote:
> What if someone posted a Snort signature for a new vuln before a vendor 
> ack'd it? You have no proof that it's a valid vulnerability yourself, but 
> you have a detailed advisory from a reputable security researcher and a 
> respected snort sig writer that tested the vulnerability and wrote a 
> signature to monitor for exploitation. 
> 
> That has to count for something, yes?

Reputable & Respected count for quite a bit.  Both of those words were
missing from your first email.  Who decides who is reputable & respected?

Since this conversation is on dailydave, I'll use Dave as an example.
(Sorry Dave.) Do you trust Dave's commentary?  If you do, how do you
know Dave made the comment, since he doesn't cryptographically sign
his emails?

I'm all for a better classification of vulnerabilities.  The
classification that I use for snort rules is *HORRID*.  A decent
standard would be very useful.

However, I foresee many problems with attaching respect to
vulnerability classification.

Brian
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
